OK,
First, what everybody else has said : DOCUMENT THE LIVING FUCK OUT OF THIS AND HOW YOU FOUND IT AND PROOF THAT YOU'RE REPORTING IT.
Second, Report to your direct boss. Print copies of all emails in that chain and document well.
If your boss ignores it then you have a choice of cover your ass and look for something else to do, or find out what kind of database and information is in it. If it falls under the rules of anything that says "PCI" (credit card info), "SOX"(banking/stock info), or "HIPAA"(health and personal information) ask if your company has a compliance and regulatory department and report to them.
You're either going to be a goddamn hero, or your company will try to pin it on you. Good luck and godsspeed.
disclaimer : I work for a company that does network and information security and auditing, and you will be shocked how often this type of things is either ignored and/or swept under the rug until shit blows up. Be careful.